In the "Root Programs and Mass Surveillance" section, it is implied that server-side adoption of an abusive CA enables client trust, which then enables interception. This is incorrect because server-side adoption is not linked to client trust.
The Root Programs and Mass Surveillance section notes the current state of the world:
1. Some governments want to use root certificates for interception
2. These root certificates are not currently included in major international browser root stores because they are used for surveillance, which violates root program policies.
It then presents an alternative set of events under the assumption that a mechanism for trust anchor negotiation exists:
1. Some governments want to use root certificates for interception
2. These root certificates are not currently included in major international browser root stores because they are used for surveillance, which violates root program policies.
3. Given a mechanism for trust anchor negotiation, governments could require servers to acquire a certificate issued by the malicious root.
4. The government passes legal mandates to trust the roots, regardless of whether or not they conform to root program policies.
5. Interception via government-mandated roots
This chain of events has no causal relation that does not already exist in the current state of the world. Specifically, a legal mandate could be passed today that requires client trust of abusive roots. That is, Step 5 only depends on Step 4, not Step 3.
An abusive CA presents a risk of interception. This risk exists today, for all CAs. A single abusive CA threatens the security of the entire Internet. This risk is mitigated through 2 main mechanisms:
- Certificate transparency makes abuse targeting CT-enforcing clients detectable
- Root programs will distrust any CA found to be used for interception
Server adoption of certificates that have been issued by a CA that is also issuing certificates that are used for interception has no impact on the risk of interception—the risk comes from including an abusive CA in the client root store and/or preventing a CA that becomes abusive from being distrusted. Ultimately, the key capability required to prevent interception is root program sovereignty.
Speculation about whether or not Step 4 (client trust) is easier to mandate after Step 3 (server issuance) happens overlooks that:
- It is already possible to mandate that sites acquire (but not necessarily use) a certificate from a domestic trust regime
- The fundamental security risk only resides in Step 4 (i.e. Step 4 enables Step 5, Step 3 does not enable Step 5).
This section should be updated to present a valid causal chain, or removed due to political speculation.
Political speculation prevents productive discourse about trust anchor negotiation. It decreases the set of participants able to participate in productive discussion of an Internet standard, as it presents legal and reputational risks to many individuals.